Closed Bug 811616 Opened 10 years ago Closed 10 years ago

"Assertion failure: [infer failure] Missing type pushed 0: string," or "Assertion failure: [infer failure] Missing type pushed 0: int,"

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
critical

Tracking


VERIFIED FIXED
mozilla19
Tracking Status
firefox16 --- unaffected
firefox17 --- unaffected
firefox18 --- unaffected
firefox-esr10 --- unaffected
firefox-esr17 --- unaffected

People

(Reporter: gkw, Unassigned)

Details

(4 keywords, Whiteboard: [fuzzblocker] [jsbugmon:update,ignore])

Attachments

(2 files)

Attached file stack
"".replace(RegExp(), Array.reduce)

asserts js debug shell on m-c changeset 4e9567eeb09e with --ion-eager at Assertion failure: [infer failure] Missing type pushed 0: string,

s-s and assuming sec-critical because this is a type inference failure, which is usually bad. Setting fuzzblocker because this is blowing up the fuzzers.

See bug 811606 and bug 811612.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   113105:3da143341145
user:        Till Schneidereit
date:        Tue Aug 28 14:35:15 2012 +0200
summary:     Bug 784294 - Convert some array extras to self-hosted js implementations. r=Waldo
This may also be related:

[0,0].sort(Array.reduce,RegExp())

Assertion failure: [infer failure] Missing type pushed 0: int,
Summary: "Assertion failure: [infer failure] Missing type pushed 0: string," → "Assertion failure: [infer failure] Missing type pushed 0: string," or "Assertion failure: [infer failure] Missing type pushed 0: int,"
Whiteboard: [fuzzblocker][jsbugmon:update] → [fuzzblocker] [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision dd68409d7810).
Bug 784294 was backed out in https://hg.mozilla.org/mozilla-central/rev/dd68409d7810 - "fixing" this.

Till, please add this testcase to future revised patches.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
I think we can make this public, as the causing code never made a Nightly.
Group: core-security
Target Milestone: --- → mozilla19
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite? → in-testsuite+